LegionRelay
LegionRelay is a lightweight PowerShell-based remote access trojan (RAT) / REST client associated with the GREYVIBE threat actor. It communicates with command-and-control infrastructure via REST API methods and has been used in campaigns targeting Ukrainian and broader Eastern European entities since at least 2025. Reported capabilities include file enumeration and theft, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration or messaging database enumeration, and setup of RDP access. GREYVIBE delivered LegionRelay through multiple social-engineering-driven intrusion chains, including fake Ukrainian adult-club websites in the PrincessClub campaign and charity-themed websites posing as foundations supporting the Armed Forces of Ukraine in the DroneLink campaign, where it was delivered alongside WireGuard VPN software. Victim sectors attributed to GREYVIBE activity include military, government, civilian, and business organizations, with confirmed Ukrainian combatants among targets in related campaigns. WithSecure reported design flaws in LegionRelay that exposed limited backend functionality and enabled extended monitoring of GREYVIBE activity, and assessed that the malware was likely developed with assistance from generative AI / LLM tools.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Alternatively, the actors deploy a lightweight REST client called LegionRelay. This compact binary facilitates file theft, screenshot extraction, and messaging database enumeration.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
The group has used fake female personas on Telegram, including via local dating channels, to build trust with victims before directing them to the lure sites or delivering malware directly.
Resource Development
1 technique
Observed indicators suggest AI-assisted activity across: resource development, including the development of obfuscation and loader scripts (LOOKVALJS, DAYLIGHT, TEASOUP), full-stack development of LegionRelay, and backend infrastructure setup and configuration.
Initial Access
2 techniques
A notable and persistent campaign, tracked as PrincessClub, used fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows.
Initially, the threat actors initiated at least six unique email-based campaigns. These malicious messages deliver dangerous compression archives hosted on popular public storage services. Furthermore, the files contain automated script loaders that deploy localized documents.
Execution
2 techniques
PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.
Subsequently, the interface instructs landing users to execute localized commands. These commands quietly spawn the primary backdoor client while redirecting users to safe destinations.
Stealth
2 techniques
Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware... WithSecure found evidence of AI assistance across multiple parts of the operation... obfuscation scripts...
PhantomClick uses fake CAPTCHA pages impersonating Zoom and LAPAS... DroneLink uses websites posing as charitable foundations supporting the Ukrainian military... Nebo uses a FallSpy sample designed to mimic a Russian military login screen...
Credential Access
2 techniques
WithSecure observed operators using LegionRelay for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup, among other actions.
LegionRelay is a lightweight PowerShell-based RAT that supports ... browser data theft...
Discovery
1 technique
WithSecure observed operators using LegionRelay for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup, among other actions.
Lateral Movement
1 technique
LegionRelay is a lightweight PowerShell-based RAT that supports ... RDP access setup.
Collection
1 technique
This compact binary facilitates file theft, screenshot extraction, and messaging database enumeration.
Command and Control
2 techniques
This client establishes secure websocket connections to interact with command servers. Alternatively, the actors deploy a lightweight REST client called LegionRelay.
DroneLink uses websites posing as charitable foundations supporting the Ukrainian military to deliver WireGuard VPN software alongside a lightweight RAT called LegionRelay.
Exfiltration
1 technique
LegionRelay is a lightweight PowerShell-based RAT that supports ... file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration...
Impact
1 technique
The deployment of the XMRig miner on a small number of LegionRelay-infected machines.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A lightweight REST-based backdoor/client used for data theft, screenshot capture, and messaging database enumeration. The report also notes likely LLM-assisted development and obfuscation-related design flaws.
A lightweight remote access trojan delivered alongside WireGuard through fake charity-themed websites; researchers noted design flaws that exposed backend functionality.
A lightweight PowerShell RAT used by GREYVIBE that supports file enumeration and exfiltration, screenshot capture, browser credential/data theft, Telegram and WhatsApp data theft, and RDP access setup.
Malware used by the GREYVIBE threat group in operations targeting Ukrainian entities; design flaws exposed parts of its backend infrastructure. The report suggests it may have been developed with LLM assistance.